Backdoor.IRC.Bot.B

Discovered: October 26, 2003
Updated: October 27, 2003 5:38:46 PM
Systems Affected: Windows

Backdoor.IRC.Bot.B is a backdoor that provides remote access to a compromised host. It is typically spread as a file attachment in spam e-mail. The backdoor also attempts to connect to a hard-coded IRC server.

Backdoor.IRC.Bot.B is typically spread as a file attachment in spam e-mail. Messages with the following properties have been observed to include the backdoor:

Subject: hey, stop send letters to me!
Body: Hey!

Your computer sending e-mail virus Sobig.f!
I recieved message with it three times from you.
I think your PC is infected and many of your friends
and other people get infected messages.
It is not so new virus, why you didn't patch?
Please stop it, Find WMDWM (Sobig killer) somewhere
or run it from my attach. It file can kill only Sobig.f
from your computer and stop the spam from your PC.

Uff... bye...

Attachment: WMDVM.EXE

When the backdoor is run, the following registry entry is created:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "MyApplet update" = %path to backdoor executable%

This entry ensures that the backdoor executes each time the system is restarted.

The backdoor will then attempt to connect to the irc.wenet.ru IRC server via port 6667. The backdoor also opens TCP port 21653 on the compromised system for remote access purposes. Remote attackers may control the backdoor via this port.
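The indicators above (the Run-key value, the listening port and the IRC port) can be checked offline against a registry export and `netstat -an` output. The following script is an added example for this write-up, not Symantec's tooling; the `.reg` text and netstat lines it scans are constructed sample data, and the backdoor path `C:\sample\WMDVM.EXE` is a placeholder for the `%path to backdoor executable%` the write-up does not specify.

```python
import re

# Indicators taken from the write-up.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "MyApplet update"
BACKDOOR_PORT = 21653   # TCP port the backdoor listens on
IRC_PORT = 6667         # port used to reach irc.wenet.ru

# Constructed sample of a `reg export` of the Run key (backslashes are doubled in .reg files).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VendorTray"="C:\\Program Files\\Vendor\\tray.exe"
"MyApplet update"="C:\\sample\\WMDVM.EXE"
'''

# Constructed sample of `netstat -an` output; addresses are documentation ranges.
SAMPLE_NETSTAT = """Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:21653          0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1044        198.51.100.7:6667      ESTABLISHED
  TCP    192.0.2.10:1045        198.51.100.20:80       ESTABLISHED
"""

def scan_reg_export(text):
    """Return the data of every 'MyApplet update' value found under the Run key."""
    hits, current_key = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]           # section header names the key
        elif current_key and current_key.lower() == RUN_KEY.lower():
            m = re.match(r'"([^"]+)"="(.*)"$', line)
            if m and m.group(1).lower() == RUN_VALUE.lower():
                hits.append(m.group(2).replace("\\\\", "\\"))  # undo .reg escaping
    return hits

def scan_netstat(text):
    """Flag a listener on the backdoor port and any connection to the IRC port."""
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "TCP":
            continue                           # skip headers and UDP rows
        local, remote, state = parts[1], parts[2], parts[3]
        if state == "LISTENING" and local.rsplit(":", 1)[1] == str(BACKDOOR_PORT):
            findings.append(("backdoor_listener", local))
        elif remote.rsplit(":", 1)[1] == str(IRC_PORT):
            findings.append(("irc_connection", remote))   # 6667 is also legitimate IRC; confirm host
    return findings
```

A 6667 hit alone is only a lead, since the write-up names the server by hostname (irc.wenet.ru); confirm it through DNS or proxy logs before treating it as the backdoor's connection.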